cmake: decouple `FORTIFY_SOURCE` check from `Debug` build type

fanquake commented at 3:36 pm on September 5, 2024: member

FORTIFY_SOURCE should be used if ENABLE_HARDENING=ON and optimisations are being used. This should not be coupled to any particular build type, because even if the build type is Debug, optimisations might still be in use.

Fixes: #30800. Also somewhat of a followup to #30778 (review).

cmake: decouple FORTIFY_SOURCE check from Debug build type

`FORTIFY_SOURCE` should be used if `ENABLE_HARDENING=ON` and optimisations
are being used. This should not be coupled to any particular build type,
because even if the build type is `Debug`, optimisations might still
be in use.

Fixes: #30800.

30803a35d5

DrahtBot commented at 3:36 pm on September 5, 2024: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	ryanofsky, TheCharlatan

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

DrahtBot added the label Build system on Sep 5, 2024

fanquake commented at 3:36 pm on September 5, 2024: member

Not sure about the inline source formatting. cc @hebasto.

in CMakeLists.txt:489 in 30803a35d5

484+    # _FORTIFY_SOURCE requires that there is some level of optimization,
485+    # otherwise it does nothing and just creates a compiler warning.
486     try_append_cxx_flags("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
487       RESULT_VAR cxx_supports_fortify_source
488+      SOURCE "int main() {
489+              # if !defined __OPTIMIZE__ || __OPTIMIZE__ <= 0

hebasto commented at 3:40 pm on September 5, 2024:

Could you provide a few links that confirm this code checks the source fortification feature?

fanquake commented at 3:42 pm on September 5, 2024:

This just checks that optimisations are in use, which is when we want to use it, using the same approach as glibc: https://github.com/bminor/glibc/blob/4945ffc88a8ad49280bae64165683ddfd12b2390/include/features.h#L421.

fanquake commented at 3:45 pm on September 5, 2024:

i.e The new code should be performing the same tests as master, except that, rather than outsourcing the check for optimisations to a test of whether or not the build mode is Debug, it tests if optimisations are being used directly.

ryanofsky commented at 5:01 pm on September 5, 2024:

The check above reminds me of the part of the XZ backdoor where the attacker inserted a single . character to disable a linux security feature in a similar cmake check:

https://git.tukaani.org/?p=xz.git;a=blobdiff;f=CMakeLists.txt;h=d2b1af7ab0ab759b6805ced3dff2555e2a4b3f8e;hp=76700591059711e3a4da5b45cf58474dac4e12a7;hb=328c52da8a2bbb81307644efdb58db2c422d9ba7;hpb=eb8ad59e9bab32a8d655796afd39597ea6dcc64d

So I think it might be useful to add a sanity check to confirm that cxx_supports_fortify_source is actually true in release builds:

0if(NOT cxx_supports_fortify_source AND CMAKE_BUILD_TYPE MATCHES "Release")
1    message(FATAL_ERROR "Error: Current release build flags are incompatible with fortify_source")
2endif()

Separately, one theoretical drawback of this new implementation is it probably disables fortify source unconditionally in multi-configuration cmake backends like visual studio and xcode, whereas the previous $<$<NOT:$<CONFIG:Debug>>: generator expression was more flexible and it could enable fortify source in release configurations while disabling it in debug configurations. But I think this doesn’t matter in practice because source fortification is a GNU feature which presumably doesn’t work in visual studio or xcode anyway.

fanquake commented at 5:10 pm on September 5, 2024:

I am certainly open to additional approaches in regards to the (potential fragility) of inline source.

So I think it might be useful to add a sanity check to confirm that cxx_supports_fortify_source is actually true in release builds:

I have a PR to try and do this in #27038.

ryanofsky commented at 5:13 pm on September 5, 2024:

I have a PR to try and do this in #27038.

Nice that seems potentially more reliable than suggested sanity check

maflcko commented at 10:14 am on September 9, 2024:

Wouldn’t it be simpler to upgrade the warning to an error with -Werror=cpp? This should avoid the need for any C++ source code?

fanquake commented at 10:20 am on September 9, 2024:

Can you elaborate? The issue is that one of the warnings is something we don’t want to turn into an error, otherwise the check will fail incorrectly. See: #30800 (comment).

maflcko commented at 10:35 am on September 9, 2024:

Ah right, I missed that this requires GCC 12, or later. It could make sense to first detect that (https://github.com/bitcoin/bitcoin/pull/27027#issuecomment-1460007675), however I am not sure if this is worth it, given that GCC11 support may be dropped at some point in the future.

fanquake commented at 10:44 am on September 9, 2024:

Yea, I’m not sure that making this logic more complicated is worth it, to suppress (harmless) warnings, given that hardening also continues to work for GCC 11 & FORTIFY=3 (2).

ryanofsky approved

ryanofsky commented at 5:14 pm on September 5, 2024: contributor

Code review ACK 30803a35d54acda19ded88474c205f8954fea5e1

TheCharlatan approved

TheCharlatan commented at 10:04 am on September 9, 2024: contributor

ACK 30803a35d54acda19ded88474c205f8954fea5e1

Tested by adding -DAPPEND_CXXFLAGS="-O0" to the build configuration.

fanquake merged this on Sep 9, 2024

fanquake closed this on Sep 9, 2024

fanquake deleted the branch on Sep 9, 2024

cmake: decouple FORTIFY_SOURCE check from Debug build type #30824

Code Coverage

Reviews

cmake: decouple `FORTIFY_SOURCE` check from `Debug` build type #30824